For local validation, the client application attempts to authenticate to the database as follows:
- When the client authenticates, the Gateway sends the client a configuration response containing the ClientId (such as sso-dev) and the IdpUrl (such as https://sso-idp-dev.iam.teradatacloud.io/.well-known/openid-configuration). These values are defined in the <GlobalValues> section of TdgssUserConfigFile.xml.
- The client then requests a JWT from the external IdP.
- The client sends the JWT to the Gateway to log on the session.
- The Gateway validates the token:
  - TDGSS examines the payload to get the issuer ("iss") claim.
  - TDGSS reads the External IdP issuer configured in TDGSS.
  - TDGSS compares the configured External IdP issuer with the JWT "iss" claim.
If the two issuers match, TDGSS validates the token locally: the Gateway verifies the signature with the key that corresponds to the token. That key is retrieved from the JWK Set URI (the jwks_uri entry) that the IdP publishes in its OpenID Connect discovery document (https://<External IdP url>/.well-known/openid-configuration). If the issuers do not match, or no published key corresponds to the token, the logon is rejected.
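The Gateway-side checks described above, as an added Python illustration that is not TDGSS or Teradata code. So that it runs offline, a throwaway RSA key generated in the script stands in for the External IdP's signing key, and the JWK Set the IdP would serve at its jwks_uri is built from it in memory. The issuer value, the "kid" name, and all claims are constructed for the example; in particular the issuer is assumed to be the IdpUrl without its /.well-known path, which the page does not state. The checks performed are issuer comparison, algorithm pinning, key selection by "kid", RS256 signature verification, and expiry; an audience check against the ClientId is not shown because the page does not describe one.

```python
# Added illustration (not TDGSS code): gateway-side JWT local validation with a throwaway
# RSA key standing in for the External IdP's signing key so that it runs offline.
import base64, hashlib, hmac, json, secrets, time

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 sec. 9.2

class TokenRejected(Exception):
    """Token failed one of the local validation checks."""

def _b64u(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64u_dec(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _is_probable_prime(n, rounds=16):  # Miller-Rabin, demo key generation only
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def gen_rsa(bits=1024):  # demo-only key (n, e, d); a production IdP key is 2048 bits or more
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

def rsa_public_jwk(kid, n, e):  # the JWK entry the IdP publishes at its jwks_uri
    enc = lambda x: _b64u(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": enc(n), "e": enc(e)}

def _emsa_pkcs1_v15(msg, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(msg) into k bytes
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(msg, sig, n, e):
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa_pkcs1_v15(msg, k))

def issue_token(claims, kid, n, d):  # what the External IdP does: sign header.payload
    dump = lambda obj: _b64u(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = dump({"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + dump(claims)
    return signing_input + "." + _b64u(rs256_sign(signing_input.encode(), n, d))

def validate_token(token, configured_issuer, jwks, now=None):
    """The gateway's local validation: returns the claims or raises TokenRejected."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header, payload = json.loads(_b64u_dec(parts[0])), json.loads(_b64u_dec(parts[1]))
    # Compare the External IdP issuer from configuration with the token's "iss" claim.
    if payload.get("iss") != configured_issuer:
        raise TokenRejected("issuer mismatch")
    # Pin the algorithm; the token's own "alg" must never choose the verifier ("none", HS256).
    if header.get("alg") != "RS256":
        raise TokenRejected("unexpected alg")
    # Select the IdP key that corresponds to the token: match the header "kid" against the JWKS.
    kid = header.get("kid")
    key = next((k for k in jwks["keys"] if kid and k.get("kty") == "RSA" and k.get("kid") == kid), None)
    if key is None:
        raise TokenRejected("no signing key for kid")
    n, e = (int.from_bytes(_b64u_dec(key[f]), "big") for f in ("n", "e"))
    if not rs256_verify((parts[0] + "." + parts[1]).encode(), _b64u_dec(parts[2]), n, e):
        raise TokenRejected("bad signature")
    now = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise TokenRejected("missing or expired exp")
    return payload

def rejection_reason(token, configured_issuer, jwks, now=None):  # None when accepted
    try:
        validate_token(token, configured_issuer, jwks, now)
    except TokenRejected as exc:
        return str(exc)
```

To try it, call gen_rsa() for the stand-in IdP key, wrap rsa_public_jwk() in {"keys": [...]} as the fetched JWKS, mint a token with issue_token(), and pass it to validate_token() with the configured issuer. The order of checks is deliberate: the issuer comparison comes first because it costs nothing and mirrors the TDGSS flow, the algorithm is pinned before any key is selected so that a token cannot choose its own verifier, and a key is looked up only by the "kid" in the header, never by anything in the payload. A real gateway would also cache the JWKS and refresh it when an unknown "kid" appears, since IdPs rotate signing keys.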
To configure the JWT mechanism for local validation, see Local Validation.